Example: When I try to sign in to a service with a username/password combination, the error message always comes back as "Username or password is invalid." But the actual case is that I entered a wrong username which doesn't even exist on the site. Why doesn't the message simply tell me the username doesn't exist?

I tried several services. Only Facebook tells me my account doesn't exist. The others (Google, Twitter, SlideShare, Yahoo!) just don't rule out the possibility that the password is wrong.

I am wondering why this is such a common practice. Is it a tradition dating back to some old-time limitation, with great potential to improve, or does it behave like this for some legal reason?

6 Answers

It makes sense in terms of protecting the privacy of the users, because the feedback (error message) doesn't categorically inform the potentially malicious person or bot that "you found the right username, now all you have to guess/crack is the password."

Thanks Allan! However, in the case where the username doesn't exist, isn't it friendlier to show "username doesn't exist"?
– 0065paula, Jun 29 '10 at 4:26

Nope, because then random people/bots can find out whether a specific user is registered (when that's supposed to be confidential). It's only advisable if this type of privacy isn't an issue for the system (website, intranet, whatever).
– Allan Caeg, Jun 29 '10 at 5:27

Allan, that doesn't mean it isn't more friendly, though. I categorically agree with the questioner's implicit opinion that such messages are pretty unfriendly; many is the time I'm trying to log in to an account and can't remember whether it needs a username in a certain format, whether it's an email address, etc. At the very least, I think this should probably be an account option: "Yes, I'm confident that my password is secure enough, so don't worry about revealing that my username exists."
– Bobby Jack, Jul 29 '10 at 15:45

Seems to be a semantics issue. My reply to the comment was along the lines of why this is a common practice, which is the theme of the question. Whether or not this practice is correct, and what we can do about it, is for a different thread. However, if I were asked whether this is good, I would have repeated my answer. In a system where security is so important, this practice makes people comfortable. Those who don't understand what it's for would at least appreciate their safety. It's better for them to complain about this than to get their accounts hijacked.
– Allan Caeg, Jul 30 '10 at 6:48

It would be more user-friendly to tell them whether they got the right username or not. The security guys fear that the effort to guess a password is not enough, so they hedge the bet by making hackers guess both the password and the username. If the password is strong enough, there is no need for this extra unfriendliness. The practice in the industry is that the security folks don't trust users to make strong passwords. This justifies an obnoxious user interface.
– AgilePro, Jan 12 '13 at 21:13

Something that hasn't been mentioned yet: many services use email addresses as user names. If the service said "wrong password", you would know you have the right username. That means someone else can find out what services you're using.

Um, as a developer, I have to disagree with you completely. Almost every system I have ever seen for validating a login either checks each field individually or returns a status code or enum, not just a single boolean value. The code/enum can be any of a number of states based on the reason for the rejection. The front end just displays one message for security reasons, nothing more.
– Charles Boyung, Jul 20 '10 at 16:25

Actually, I've seen a lot of systems that do: select username from users where username='$username' and password='$password'. So really the answer to this question is a yes or no. But I agree that the bigger reason for doing this is to protect the privacy and security of users.
– mihai, Jul 23 '10 at 10:55

If your query REALLY is "select username from users where username='$username' and password='$password'", you have a whole other level of security hole!
– Bobby Jack, Jul 29 '10 at 15:41

To answer the last question in the comments to the top answer … for forgotten passwords, the common practice is the "forgotten password" link. From there, it lets you send a reset email to the email address on file for a given username, OR it lets you enter the email address associated with your account. This method ensures that only the account holder has access even if the password is forgotten.

Sometimes extra verification is required before that email is sent to you, such as your account number, SSN, father's middle name, or some such question.

To answer your question, as others have already mentioned, the practice exists to increase safety by not letting a malicious user or script learn whether a given username is taken (and therefore available to try to "hack into"). It is not a legal issue, since, as you noted, not all services do this.

Interestingly, though, in practice this is not all that much safer given other design decisions (for an email account, all you have to do is send an email, and if it doesn't bounce you have a pretty good idea whether the address exists). Your question reminded me of a great article I read about this a while ago:

While researching login patterns in the wild, we also watched some users on our login page, and pinpointed a few smallish things we could change to make getting into the app easier. Our old login form told users, "Your username or password is incorrect," when they may have the username right, but the password was incorrect. If you have 4 possible usernames and 4 possible passwords, you have 16 possible combinations between them—only one of which is correct. That means in this scenario, the user would have 15 chances to make an error when logging in. But when you know specifically that your username is incorrect, odds of failure drop precipitously.

He is referring to the fact that some UX changes in the login screen (for their app) caused a 66% decrease in login failures and a 42% decrease in password resets with an additional 5% decrease the following month.

The engineering team, ever mindful of security, argued that being generic about username and password errors makes it harder for bad guys to guess usernames by pounding the form with random words or email addresses. But after some further consideration, we decided that it was a false risk, as the username reminder form already tells you if a username exists, and is not a significant security risk for the bajillions of sites that have them.

So, though it might seem that not telling the user trying to log in that "the username exists but the password is wrong" is a security feature, it can be undermined by other decisions, and in reality it is fraught with another set of problems of its own (failed logins, password resets, etc.). So each case needs to weigh all of this in order to make the best decision.